The Rules for Strong Passwords Have Changed

By now, most of us are familiar with standard suggestions for strong passwords, which include using a combination of letters, numbers and special characters. We’ve also become used to systems asking us to update these passwords at regular intervals — say, every 90 days. Much of this advice stemmed from “NIST Special Publication 800-63, Appendix A,” and the author of that document, Bill Burr, recently offered up some updated commentary:

And when forced to change their passwords on a schedule, many users make only a small, predictable change, such as incrementing a single character (Password1 becomes Password2). The problem? Attackers know these habits: password-cracking tools apply exactly such transformations to a previously leaked or cracked password, so the "new" one falls in a handful of guesses.
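As an added example (not from the article or from NIST), here is a Python check a change-password endpoint can run to reject a new password that is merely a cheap transformation of the old one. The set of transformations is a hand-picked illustrative subset of what rule-based crackers try (an assumption, not a real hashcat or John rule file); the password strings are constructed for the demo. The check works at change time because that is the one moment the server sees the old password in the clear.

```python
import re

# Illustrative subset of the transformations a cracker's rule engine applies to a
# known old password (assumption: a hand-picked sample, not a real rule file).
COMMON_SUFFIXES = ["!", "?", "#", "1", "123", "!!"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def _shift_trailing_number(pw, delta):
    """Add delta to the trailing digit run, keeping any punctuation after it:
    Summer2023! -> Summer2024!, Password1 -> Password2. None if no digits."""
    m = re.search(r"(\d+)([^0-9A-Za-z]*)$", pw)
    if not m:
        return None
    n = int(m.group(1)) + delta
    if n < 0:
        return None
    return pw[:m.start()] + str(n).zfill(len(m.group(1))) + m.group(2)


def derived_candidates(old):
    """Passwords a user is likely to 'rotate' to from `old`, and therefore the
    first guesses an attacker who already knows `old` will try."""
    out = set()
    for delta in range(-3, 4):                 # year/counter bumped up or down
        v = _shift_trailing_number(old, delta)
        if v:
            out.add(v)
    stem = old.rstrip("0123456789!?#$")        # Password1! -> Password
    for base in {old, stem}:
        for s in COMMON_SUFFIXES:              # append a common suffix
            out.add(base + s)
        for d in range(10):                    # append a single digit
            out.add(base + str(d))
        out.update({base.lower(), base.upper(), base.capitalize(), base.swapcase()})
        for plain, sub in LEET.items():        # one leet substitution at a time
            out.add(re.sub(plain, sub, base, count=1, flags=re.IGNORECASE))
    out.discard(old)                           # unchanged is caught separately
    out.discard("")
    return out


def is_trivial_rotation(old, new):
    """True when `new` is `old`, differs only in case, or is one of the cheap
    transformations above. Reject the change when this returns True."""
    return new == old or new.lower() == old.lower() or new in derived_candidates(old)


if __name__ == "__main__":
    # Constructed demo values.
    for old, new in [("Password1", "Password2"), ("Summer2023!", "Summer2024!"),
                     ("Password1", "BananaOrbitAppleTilapia")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
    print(len(derived_candidates("Password1")), "guesses cover the common rotations")
```

The candidate set for a typical corporate password is a few dozen strings, which is why a 90-day rotation of Password1 to Password2 buys nothing against an attacker who already has the old hash or credential.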

So, what’s a better option?

The New Rule for Strong Passwords

Paul Grassi — a Standards and Technology adviser at the National Institute of Standards and Technology — has offered new guidance to people wondering how they should construct their passwords.

Instead of requiring complicated character patterns, the new guidance favors long passwords built from several ordinary words chosen at random. Length is what makes them expensive to brute-force, while a string of everyday words (BananaOrbitAppleTilapia) is far easier to remember than a short jumble of symbols. The strength comes from the random selection: a familiar quotation or song lyric is much weaker than its length suggests, because attackers try those too. Memorable passwords also mean less need to write them down (where they can be stolen) or to reuse one across sites (where a single breach exposes every account).
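As an added example (not from the article or from NIST), the following Python generator builds a multi-word passphrase in the style above using a cryptographically secure random choice, and computes how many bits of entropy the scheme yields compared with a random 8-character password from the 95 printable ASCII characters. The 16-word list is a constructed sample for illustration only; a real generator uses a published list of several thousand words (the EFF long list has 7776), and the entropy figures assume the words really are chosen uniformly at random rather than taken from a memorable phrase.

```python
import math
import secrets

# Constructed sample list for illustration only. Real generators use a list of
# several thousand words; strength comes from list size and random choice.
SAMPLE_WORDS = [
    "banana", "orbit", "apple", "tilapia", "copper", "lantern", "violet",
    "meadow", "granite", "pelican", "saddle", "thunder", "walnut", "zebra",
    "harbor", "quartz",
]


def generate_passphrase(words, n=4, sep=""):
    """Pick n words uniformly at random with a CSPRNG (never the `random`
    module), joined CamelCase-style like BananaOrbitAppleTilapia."""
    if n < 1 or len(words) < 2:
        raise ValueError("need at least one word from a non-trivial list")
    return sep.join(secrets.choice(words).capitalize() for _ in range(n))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n independent uniform choices from a list of list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, charset_size):
    """Entropy of a random string of `length` symbols from `charset_size` symbols."""
    return length * math.log2(charset_size)


def compare(n_words=4, list_size=7776, pw_len=8, charset=95):
    """Random n-word passphrase vs. random pw_len-character complex password."""
    return {
        "passphrase_bits": round(passphrase_entropy_bits(n_words, list_size), 1),
        "complex_password_bits": round(charset_entropy_bits(pw_len, charset), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare())                                    # {'passphrase_bits': 51.7, 'complex_password_bits': 52.6}
    print(round(passphrase_entropy_bits(6, 7776), 1))   # 77.5: two more words beats adding symbols
    # The 16-word demo list is far too small to be safe:
    print(round(passphrase_entropy_bits(4, len(SAMPLE_WORDS)), 1))  # 16.0
```

Four random words from a 7776-word list match an 8-character random symbol password almost exactly (about 52 bits), and each extra word adds roughly 13 bits; the passphrase is the one a user can actually remember, and it never needs to be written on a sticky note.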

Businesses and other organizations whose password policies are based on the outdated guidance should bring them up to date quickly. That means dropping mandatory periodic changes and character-mix rules in favor of the length-based construction described above, or adopting a password manager, which generates and stores long random passwords so that users need to remember only one. Training on the new rules should be part of the security and privacy awareness curriculum, and identity management systems should be reconfigured to enforce the new policy rather than the old one.